Re: Building OpenSSL for EFI
> I would like (need) to get OpenSSL working in the EFI [...]

In the EDK-2, this directory: edk2/trunk/edk2/CryptoPkg/Library/OpensslLib/* shows you how to patch, configure, and build OpenSSL in the EDK-2 environment. Also look in some nearby include directories for OpenSSL headers and install scripts.

AFAIK, besides this list, the only other place to talk about UEFI OpenSSL issues would be on the EDK-2 list. There are a few OpenSSL-related msgs on the EDK-2 list; that list is on YahooGroups, which has suboptimal archives, but in the last few months, someone set up Gmane.org mirrors of most of the EDK-2 lists.

HTH

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Can someone recommend a good SSL protocol analyzer for Windows ?
> I have been trying that. it shows handshake for TLSv1 for some sites and not for others. I might be using it wrong.. but am not also sure if it supports analyzing https by default.. Have you tried it ?

If Wireshark doesn't work, try Microsoft Network Monitor (NetMon). Wireshark is written using OpenSSL. NetMon is written using Microsoft's CryptoAPI, and doesn't use OpenSSL. In case that makes a difference in your SSL packet analysis.

It is not open source. It is freeware, supplied by the platform vendor. Actually, part of it is open source, some of the MS filters are on CodePlex.com.

NetMon has 2 advantages over Wireshark:

1) Written by platform vendor with their understanding of the protocol they implemented, so useful for some nuances of Windows-centric protocols (esp. MS Office-related). [1]

2) Most (all?) open source alternatives rely on WinPCap, which hasn't been maintained in years [2], unlike Unix LibPcap, or Microsoft NetMon driver. So modern sniffing on Windows can have problems with Wireshark and other WinPCap-dependent software.

[1] http://social.technet.microsoft.com/Forums/en/netmon/thread/86c8614c-d0f1-42d0-814c-e85529964861
[2] http://www.winpcap.org/pipermail/winpcap-users/2012-December/004690.html

MSDN tries hard to show you outdated NetMon 2.x info, pay attention only to 3.x pages.

http://www.microsoft.com/en-us/download/details.aspx?id=4865
http://nmexperts.codeplex.com/
http://nmparsers.codeplex.com/

Also, depending on your SSL usage, try Microsoft Fiddler (Fiddler2). It is their developer tool for analysing web app dev, including -- I believe -- HTTPS traffic. Useful in same case as #1 above.

http://www.fiddler2.com/

Just for grins, try using Wireshark on Linux, using LibPcap, instead of WinPcap, to see if that impacts your results.

HTH.
Re: I can't believe how much this sucks
For things that the peer support forum and the existing documentation don't cover, you have the source code, which is definitive. Additionally, there are professional OpenSSL consultants you can use for help. It would be more productive to submit bugs and patches, instead of a litany :-)
Re: OpenSSL support of Intel AES instruction set
> I remember seeing somewhere that OpenSSL supports Intel AES instruction set. If so, which release is that and what flag is needed to enable it. Does the 'no-asm' flag in 'Configure' disable the use of these instructions?

Look on the Contribution page.

http://openssl.org/contrib/

Look at the README inside the tarball:

http://openssl.org/contrib/intel-accel-1.5.tar.gz

HTH
Re: UEFI Authenticode Code - is it any good?
I forwarded this to the EFI list, for a response from Intel:

http://sourceforge.net/mailarchive/message.php?msg_id=29329799

Original Message
Subject: Re: [edk2] Fwd: Re: UEFI Authenticode Code - is it any good?
Date: Tue, 29 May 2012 08:47:51 +
From: Long, Qin qin.l...@intel.com
Reply-To: edk2-de...@lists.sourceforge.net
To: edk2-de...@lists.sourceforge.net edk2-de...@lists.sourceforge.net

Yes. We are looking at this.

Strictly speaking, it's one workaround solution to meet intermediate certificate support for UEFI Authenticode and secure boot. OpenSSL has no direct support for this, and always tries to verify the whole cert chain. We introduced one callback mechanism (openssl-native) to bypass its strict chain checking, and also try to avoid bringing more security risks.

For the trusted cert store mentioned below, we used the authenticated variable mechanism for this support. It's also one important UEFI security feature. (It's just one clarification for the question from Felix's mail below.)

We also noticed the OpenSSL community ever tried some experiences to add support for this kind of intermediate root. Please refer to the following thread:

http://marc.info/?l=openssl-users&m=128943213002702

Once any formal / official support is ready, we will catch the update. And if any security risks are found based on the current workaround, please let us know, and we will fix them asap.
Re: this list
On 3/17/12 1:27 AM, John A. Wallace wrote:
> Is this list available from gmane or some similar way that allows it to be read with a newsreader? Thanks.

nntp://news.gmane.org/gmane.comp.encryption.openssl.user
http://dir.gmane.org/gmane.comp.encryption.openssl.user
http://gmane.org/find.php?list=openssl
Re: OpenSSL with Managed C++
> Can we use OpenSSL lib with Managed C++? Thanks.

http://openssl-net.sourceforge.net/
Re: Let's talk about HTTPS Everywhere
> Ok. It's a Firefox Add-on: https://www.eff.org/https-everywhere
> Questions:
> 1) But: Why can't i find it on the official Firefox Add-ons site?: https://addons.mozilla.org/en-US/firefox/

Because you're looking in the wrong place. It is wrong to assume that 100% of XPIs are hosted at AMO. Most are, but not all.

> 2) Did anyone audit the HTTPS Everywhere code?

It's written by the TorProject team, who wrote Tor, and TorButton. If you trust Tor, and Firefox, and the EFF, you might like this.

> 3) Can someone trust this Add-on? Is it safe to install/use?

See 2.

> 4) If it's so great why isn't it more prevalent?

See 1 and 2.

> What's your opinion? Or answer? :\

Tor project hosts the plugin's source code. They have it under Git version control, bugs in Trac. You need to be on the Tor dev and commits list to see the activity. EFF hosts a user mailing list (and one for rules).

https://blog.torproject.org/blog/https-everywhere-firefox-addon-helps-you-encrypt-web-traffic
https://gitweb.torproject.org/https-everywhere.git
https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=new&status=reopened&groupdesc=1&group=type&max=200&component=EFF-HTTPS+Everywhere&order=priority&col=id&col=summary&col=component&col=status&col=type&col=priority&col=milestone&report=19
https://mail1.eff.org/mailman/listinfo/https-everywhere
https://mail1.eff.org/pipermail/https-everywhere/2011-January/000732.html
https://mail1.eff.org/mailman/listinfo/https-everywhere-rules

HTH.